Mari DeGrazia has published a very useful post, which will help you to learn how to find and decode malicious PowerShell scripts. You will learn, which events to check, how to detect PowerShell and decode scripts. According to Mari, it’s only the first part, she will keep writing and teach us how to detect malicious PowerShell scripts in registry (part 2) …

SUMURI presented a free step by step Mac forensics guide. You will learn how to obtain system date and time, image a data source, mount acquired image, use indexing for keyword searches and report on your findings. The guide consists of 25 steps and can be downloaded here.

Heather Mahalik, the author of Practical Mobile Forensics and SANS FOR585, has written a post about forensicating iOS 11 iMessages and SMS. The first thing to be noted, common mobile forensic tools not parsing these messages correctly, at least sometimes, especially timestamps, so the best way is to parse the sms.db contents manually. The thing is – you can see …

In this post Lionel Faleiro shows how to use Powerforensics, a PowerShell framework created for hard drive forensic analysis by Jared Atkinson, for Windows LNK forensic analysis.

Here is a guide on how to remotely dump Linux RAM with LiMEaide – a python application designed to remotely dump RAM of a Linux client and create a volatility profile for later analysis on your forensic workstation. The process includes six steps: Make a remote connection with specified client over SSH Transfer necessary build files to the remote machine Build the …

Phill Moore has written a nice post in his new blog – ThinkDFIR. This post will help you to understand what orphaned files are (of course if you still don’t know).

Jason Hale has published a post about the impact of VBS on memory acqusition. With Windows 10 and Server 2016, Microsoft added the option to enable various forms of virtualization-based security (VBS), such as Credential Guard, Device Guard, Application Guard, and more. In the post you will learn which tools to use to overcome these new features.

Yogesh Khatri has published a very useful post – he shows how to find the serial number of a Mac computer or laptop. There are a few system databases that store this information and make it available for forensic investigators to use: consolidated.db cache_encryptedA.db lockCache_encryptedA.db You can find information about the databases location in the original post.

In this post Jamie McQuaid from Magnet Forensics shows how to create Android physical images via custom recovery with AXIOM, step by step. Flashing a recovery image to an Android device will work on a phone even if it has a passcode lock, bypassing it completely and allowing you to acquire a full physical image of the device.

Another interesting article has been posted by Andrea Fortuna. This time he is writing about event logs recovery from a Windows memory image. The author uses two approaches, depending on OS version. If he deals with Windows XP and 2003, he uses evtlogs Volatility plugin, for other Windows versions he uses Willi Ballenthin’s EVTXtract.